Why GAO Did This Study

The federal government is 
accountable for how its agencies 
and grantees spend more than 
$2 trillion of taxpayer dollars and is 
responsible for safeguarding those 
funds against improper payments 
as well as for recouping those 
funds when improper payments 
occur. The Congress enacted the 
Improper Payments Information 
Act of 2002 (IPIA) and the 
Recovery Auditing Act to address 
these issues. Fiscal year 2006 
marked the third year that agencies 
were required to report improper 
payment and recovery audit 
information in their Performance 
and Accountability Reports. The 
Department of Homeland Security 
(DHS) reported limited information 
during these 3 years. 

GAO was asked to (1) determine 
the extent to which DHS has 
implemented the requirements of 
IPIA, (2) identify actions DHS has 
under way to improve IPIA 
compliance and reporting, and 
(3) determine what efforts DHS has 
in place to recover improper 
payments. To accomplish this, GAO 
analyzed DHS's internal guidance 
and action plans, and reviewed 
information reported in its 
Performance and Accountability 
Reports. 



What GAO Recommends 



GAO makes four recommendations 
to DHS to help improve its efforts 
to implement IPIA and recover 
improper payments. DHS 
concurred with the 
recommendations. 

www.gao.gov/cgi-bin/getrpt?GAO-07-913.

To view the full product, including the scope 
and methodology, click on the link above. 
For more information, contact McCoy 
Williams at (202) 512-9095 or 
williamsm1@gao.gov.



What GAO Found 

DHS has made some progress in implementing IPIA requirements, but much 
more work remains for the agency to become compliant with IPIA. For 
example, while DHS has made progress in identifying its programs, for fiscal 
year 2006, the agency did not perform the required first step — a risk 
assessment — on approximately $13 billion of its more than $29 billion in 
disbursements subject to IPIA. Until DHS fully assesses its programs, the 
potential magnitude of improper payments is unknown. 

• For the remaining $16 billion, DHS determined that two programs — 
Individuals and Households Program (IHP) assistance payments and 
disaster-related vendor payments — were at high risk for issuing 
improper payments and reported related estimates. 

• For the $13 billion for which no risk assessment was performed, DHS 
has encountered challenges with IPIA implementation. Of this amount, 
over $6 billion relates to payments for grant programs. Developing a plan 
to assess risk and potentially test grant payments is important given that 
the DHS Office of Inspector General, GAO, and other auditors have 
identified weaknesses in grant programs. This will allow DHS to gain a 
better understanding of its risk for improper payments and potentially 
reduce future improper payments. 

DHS has actions under way to improve IPIA reporting and compliance, but 
does not plan to be fully compliant in fiscal year 2007. DHS has prepared a 
plan to address its noncompliance with IPIA, which included updating its 
guidance to focus on program identification and risk assessments to build a 
foundation for a sustainable IPIA program. In addition, DHS has developed 
plans to reduce improper payments related to its two identified high-risk 
programs. However, until DHS fully completes the required risk assessments 
for all of its programs and then estimates for risk-susceptible programs, it is 
not known whether other programs have significant improper payments that 
also need to be addressed. 

In addition, DHS's efforts to recover improper payments could be improved. 
According to DHS, four of its components meet the criteria for recovery 
auditing as specified in the Recovery Auditing Act. These four components 
make at least $4 billion of contractor payments each fiscal year. DHS 
encountered problems that kept it from reporting on recovery audit efforts 
during fiscal year 2006 for three of the four components, and did not perform 
recovery auditing at the fourth component. In March 2007, DHS revised its 
guidance to clarify what is expected; however, ongoing oversight will be 
necessary to monitor the components' progress. In addition, DHS has 
reported limited information on its efforts to recover specific improper 
payments identified during its testing of high-risk programs. Although DHS is 
not currently required to do so, reporting this information would provide a 
more complete picture of the agency's actions to recover payments that it 
has identified as being improper. 
United States Government Accountability Office
Washington, DC 20548 



September 19, 2007 

The Honorable Joseph I. Lieberman 
Chairman 

The Honorable Susan M. Collins 
Ranking Member 

Committee on Homeland Security and Governmental Affairs 
United States Senate 

The Honorable Thomas R. Carper 
Chairman 

The Honorable Tom Coburn 
Ranking Member 

Subcommittee on Federal Financial Management, 

Government Information, Federal Services, 

and International Security 
Committee on Homeland Security and Governmental Affairs 
United States Senate 

Over the past several years, our work has shown that improper payments 
continue to be a substantial problem for federal agencies. As the steward 
of taxpayer dollars, the federal government is accountable for how its 
agencies and grantees spend more than $2 trillion of taxpayer dollars each 
year and is responsible for safeguarding those funds against improper 
payments. Fiscal year 2004 marked the first year in which agencies were 
required to report improper payments 1 information in their Performance 
and Accountability Reports (PAR) under the Improper Payments 
Information Act of 2002 (IPIA). 2 As a result, federal agencies reported an 
estimated $46 billion in improper payments for fiscal year 2004. Although 
governmentwide reported amounts of estimated improper payments 
decreased between fiscal year 2004 and fiscal year 2006, the reported 
amount in fiscal year 2006 included more than $800 million as a result of 



1 Improper payments are defined as any payment that should not have been made or that
was made in an incorrect amount (including overpayments and underpayments) under 
statutory, contractual, administrative, or other legally applicable requirements. It includes 
any payment to an ineligible recipient, any payment for an ineligible service, any duplicate 
payment, payments for services not received, and any payment that does not account for 
credit for applicable discounts. 

2 Pub. L. No. 107-300, 116 Stat. 2350 (Nov. 26, 2002). 
improper disaster-related payments made by the Federal Emergency
Management Agency (FEMA) within the Department of Homeland 
Security (DHS) in response to the 2005 Gulf Coast hurricanes. Since its 
establishment in March 2003, DHS, whose annual budget generally tops 
$30 billion, has yet to comply with IPIA. Moreover, during fiscal year 2006, 
its independent auditors continued to report significant internal control 
weaknesses such as weaknesses in financial management and oversight, 
and a weak control environment. A weak internal control environment 
increases an agency's susceptibility to improper payments. 

Generally, agencies, including DHS, must perform four key steps to 
address the specific improper payment reporting requirements found in 
IPIA and related Office of Management and Budget (OMB) guidance — 
(1) perform a risk assessment of all programs and activities, (2) estimate 
improper payments for risk-susceptible programs and activities, 
(3) implement a plan to reduce improper payments for programs with 
estimates exceeding $10 million, and (4) annually report improper 
payment estimates and actions to reduce them. In addition, agencies that 
enter into contracts with a total value exceeding $500 million in a fiscal 
year are required under section 831 of the National Defense Authorization 
Act for Fiscal Year 2002, commonly known as the Recovery Auditing Act, 
to have cost-effective programs for identifying errors in payments to 
contractors and for recovering amounts erroneously paid. 3 

Given the reported condition of DHS's internal controls and reported 
noncompliance with IPIA, you asked us to conduct a review of the 
department's implementation of IPIA. Specifically, our objectives were to 
(1) determine the extent to which DHS has implemented the requirements 
of IPIA, (2) identify actions DHS has under way to improve IPIA 
compliance and reporting, and (3) determine what efforts DHS has in 
place to recover improper payments. To address these objectives, we 
reviewed applicable improper payments legislation, OMB guidance, and 
agency Office of Inspector General (OIG) reports. We also reviewed 
improper payment information reported in DHS's PARs over the past 
3 fiscal years (2004-2006). In addition, we analyzed DHS's regulations and 
methodology for identifying programs and activities highly susceptible to 
improper payments, interviewed officials from the Office of the Chief 
Financial Officer (OCFO), reviewed workpapers prepared by DHS's 



3 Pub. L. No. 107-107, div. A, title VIII, § 831, 115 Stat. 1012, 1186 (Dec. 28, 2001) (codified at
31 U.S.C. §§ 3561-3567). 
independent auditor, and summarized the results of this review. In
addition, we reviewed DHS's plans to reduce improper payments and 
become compliant with IPIA and the Recovery Auditing Act. 

To assess the reliability of data reported in DHS's PARs related to 
improper payments and recovery audit efforts, we (1) reviewed existing 
information about the data and the system that produced them and 
(2) interviewed agency officials knowledgeable about the data. We 
determined that the data were sufficiently reliable for the purposes of this 
report. We conducted our work from October 2006 through June 2007 in 
accordance with generally accepted government auditing standards. See 
appendix I for more details on our scope and methodology. 



Results in Brief

DHS has made some progress over the last 3 fiscal years in attempting to
fully implement IPIA requirements, but much more work remains to be
done. Although DHS has made progress in identifying its programs, for
fiscal year 2006, DHS had not yet performed the required first step — a risk 
assessment — on programs with approximately $13 billion of its more than 
$29 billion in disbursements subject to IPIA. For the remaining $16 billion 
in DHS disbursements subject to IPIA, DHS determined that two programs 
were at high risk for issuing improper payments — the Individuals and 
Households Program (IHP) assistance payments and disaster-related 
vendor payments. DHS performed statistical sample testing of these 
programs and estimated FEMA improper payments (step 2) from 
September 2005 through March 2006 of $450 million (8.56 percent) of IHP 
assistance payments and $319 million (7.44 percent) of disaster-related 
vendor payments. 4 

DHS has developed plans to reduce future improper payments for these 
two programs (step 3) and reported these estimates in its fiscal year 2006 
PAR (step 4). However, DHS's independent auditor found that the time 



4 U.S. Department of Homeland Security, Performance and Accountability Report Fiscal 
Year 2006 (Washington, D.C.: Nov. 15, 2006). DHS also reported estimated improper 
payments for all of fiscal year 2006 for these two programs. However, DHS calculated the 
fiscal year 2006 estimates by applying the estimated error percentage rates from the 
September 2005 through March 2006 testing to the fiscal year 2006 outlay figures. The 
estimated error percentage rates for the September 2005 through March 2006 testing have a 
90 percent confidence interval of plus or minus 2.32 percentage points for IHP assistance 
payments and plus or minus 2.62 percentage points for disaster-related vendor payments 
based on statistically valid cluster samples. See IPIA reporting details in DHS's fiscal year 
2006 PAR. 
period covered for testing and reporting (i.e., September 2005 through
March 2006) was not in accordance with OMB's implementing guidance, 
which also contributed to DHS's inability to meet the requirements of IPIA. 
While DHS concluded that none of its other programs that DHS subjected 
to a risk assessment met OMB's criteria for susceptibility to significant 
improper payments, the basis for this conclusion was limited in scope. For 
example, DHS only tested programs with disbursements greater than 
$100 million and did not perform a qualitative risk assessment of all 
program operations such as an assessment of internal controls, oversight 
and monitoring activities, and results from external audits. 5 

For the programs with $13 billion in payments for which no risk 
assessment was performed in fiscal year 2006, DHS has encountered 
challenges with IPIA implementation. Of this amount, over $6 billion 
relates to payments for grant programs, including $3 billion in payments 
made for the National Flood Insurance Program (NFIP). Performing risk 
assessments of grant programs and testing grant payments can be difficult 
because of the many layers of grant recipients, as well as the types of 
recipients and number of grant programs. During fiscal year 2006, DHS 
awarded grants to over 5 million recipients for 70 different grant programs. 
Developing a plan to assess risk and potentially test grant payments is 
important given the fact that the DHS OIG has identified weaknesses in 
grant programs and considers grants management to be one of DHS's 
major management challenges. Another challenge for DHS is that we 
recently added the NFIP, one of DHS's largest grant programs, to our high- 
risk list in March 2006. 6 Assessing grant programs, and if necessary, 
performing IPIA testing, will allow DHS to gain an understanding of its risk 
for improper payments and potentially reduce future improper payments. 

DHS has actions under way to improve IPIA reporting and compliance, but 
does not plan to be compliant in fiscal year 2007 and will likely not be 
compliant in fiscal year 2008. Actions under way include developing plans 



5 For those programs with disbursements between $10 million and $100 million, DHS 
components were instructed to complete a qualitative risk assessment — a series of 
questions to qualitatively ascertain whether a program is at high risk for issuing improper 
payments. 

6 GAO, High-Risk Series: An Update, GAO-07-310 (Washington, D.C.: January 2007). We 
placed the National Flood Insurance Program (NFIP) on our high-risk list in March 2006 
because it is unlikely that the NFIP will generate sufficient revenues to repay the billions 
borrowed from the Department of the Treasury to cover flood claims from the 2005 
hurricanes. 
to reduce improper payments related to its two identified high-risk
disaster-related programs and preparing departmentwide corrective action 
plans to address internal control weaknesses and noncompliance issues, 
including those related to IPIA. In addition, DHS recently updated its 
guidance for implementing IPIA and plans to focus on program 
identification and risk assessments to build a foundation for a sustainable 
IPIA program, rather than aiming for compliance during fiscal year 2007. 
The agency also plans to hold workshops for its components on sample 
testing and reporting to ensure that they have a consistent understanding 
of what is expected with regard to IPIA testing and reporting. While DHS's 
plans appear to address IPIA compliance issues, implementation will take 
significant time and effort as DHS has already missed some key milestones 
related to the identification of IPIA programs for each agency component. 
Solidifying its identification of IPIA programs and completing a thorough 
risk assessment process will be important first steps to adequately address 
IPIA reporting requirements. 

Lastly, we identified several weaknesses in DHS's efforts to recover 
known improper payments and to comply with the Recovery Auditing Act. 
According to DHS, four of its components — Immigration and Customs 
Enforcement (ICE), Customs and Border Protection (CBP), U.S. Coast 
Guard (USCG), and FEMA — meet the criteria for recovery auditing as 
specified in the Recovery Auditing Act (i.e., each has over $500 million in 
annual contractor payments). 7 DHS began recovery auditing efforts during 
fiscal year 2004, hiring an independent contractor who conducted 
recovery audit work at two major components, ICE and CBP; however, 
DHS was not able to report on these efforts for that year because initial 
findings were not available in time to be included in its annual PAR. DHS 
continued these efforts in fiscal year 2005 and its contractor identified 
more than $2.1 million of improper payments and recovered more than 
$1.2 million (over 50 percent of identified improper payments). However, 
when DHS attempted to expand its recovery audit efforts to USCG, it 
encountered problems with obtaining disbursement data. In addition, DHS 
reported that delays in obtaining security clearances for contract 
personnel severely hampered completion of recovery audit work at CBP 
and ICE during fiscal year 2006. As a result, DHS did not report on 
recovery audits during fiscal year 2006. 



7 DHS as a whole meets the criteria for recovery auditing as specified in the Recovery 
Auditing Act, but the agency has identified specific components that individually meet the 
requirements and focuses its recovery auditing efforts on those components. 
In March 2007, DHS revised its guidance for recovery auditing for fiscal
year 2007 — noting the disbursement data and security clearance issues 
encountered in previous years — emphasizing timelines to help ensure that 
all applicable components are able to complete recovery audits and report 
on their efforts going forward. This guidance clarifies what is expected of 
components; however, ongoing oversight by the OCFO will be necessary 
to help ensure that the components are progressing with their recovery 
auditing efforts and will be able to successfully report on results at year 
end. In addition, DHS has not yet reported on its efforts to recover 
improper payments identified during its testing of FEMA's disaster-related 
vendor payments and has reported limited information on its efforts to 
recover identified improper IHP assistance payments. DHS is currently not 
required to report on these efforts, but reporting this information would 
provide a more complete picture of the agency's actions to recover 
payments that it has identified as being improper. 

We are making four recommendations to DHS to help improve its efforts 
to implement IPIA and recover improper payments by focusing on 
performing risk assessments and reporting on efforts to recover improper 
payments. 

We provided a draft of this report to DHS for comment. DHS concurred 
with our recommendations, and its comments, along with our evaluation, 
are discussed in the Agency Comments and Our Evaluation section of this 
report. The comments are also reprinted in their entirety in appendix II. 



Background

Our work over the past several years has demonstrated that improper
payments are a long-standing, widespread, and significant problem in the
federal government. IPIA has increased visibility over improper payments
by requiring executive branch agency heads to identify programs and 
activities susceptible to significant improper payments, estimate amounts 
improperly paid, and report on the amounts of improper payments and 
their actions to reduce them. Similarly, the Recovery Auditing Act 
provides an impetus for applicable agencies to systematically identify and 
recover contract overpayments. As the steward of taxpayer dollars, the 
federal government is accountable for how its agencies and grantees 
spend hundreds of billions of taxpayer dollars and is responsible for 
safeguarding those funds against improper payments as well as having 
mechanisms in place to recoup those funds when improper payments 
occur. 






GAO-07-913 DHS Improper Payments 



Improper Payments Information Act of 2002

IPIA was enacted in November 2002 with the major objective of enhancing
the accuracy and integrity of federal payments. IPIA requires executive
branch agency heads to review their programs and activities annually and
identify those that may be susceptible to significant improper payments. 
For each program and activity agencies identify as susceptible, the act 
requires them to estimate the annual amount of improper payments and to 
submit those estimates to the Congress. The act further requires that for 
programs for which estimated improper payments exceed $10 million, 
agencies are to report annually to the Congress on the actions they are 
taking to reduce those payments. 

The act also requires the Director of OMB to prescribe guidance for 
agencies to use in implementing IPIA. OMB issued implementing guidance 8 
which requires the use of a systematic method for the annual review and 
identification of programs and activities that are susceptible to significant 
improper payments. The guidance defines significant improper payments 
as those in any particular program that exceed both 2.5 percent of 
program payments and $10 million annually. 9 It requires agencies to 
estimate improper payments annually using statistically valid techniques 
for each susceptible program or activity. For those agency programs 
determined to be susceptible to significant improper payments and with 
estimated annual improper payments greater than $10 million, IPIA and 
related OMB guidance require each agency to annually report the results 
of its efforts to reduce improper payments. OMB has stated that having 
high-quality risk assessments is critical to meeting the objectives of 
identifying improper payments and is essential for performing corrective 
actions to eliminate payment errors. 10 Figure 1 provides an overview of the 
four key steps OMB requires agencies to perform in meeting the improper 
payment reporting requirements. 



8 Appendix C to OMB Circular No. A-123 consolidates three memorandums previously
issued by OMB. These memorandums are: M-03-07, "Programs to Identify and Recover 
Erroneous Payments to Contractors" (Jan. 16, 2003); M-03-12, "Allowability of Contingency 
Fee Contracts for Recovery Audits" (May 8, 2003); and M-03-13, "Improper Payments 
Information Act of 2002 (Public Law 107-300)" (May 21, 2003). 

9 IPIA does not mention the "exceeding the 2.5 percent of program payments" threshold that 
OMB uses for identifying and estimating improper payments. 

10 OMB, Improving the Accuracy and Integrity of Federal Payments (Washington, D.C.: 
Jan. 31, 2007). 
Figure 1: Required Steps to Identify, Estimate, Reduce, and Report Improper
Payment Information

Improper Payments-Required Steps

1. Perform risk assessment

Annually review all programs and activities to identify those
susceptible to significant improper payments, defined by OMB as
exceeding $10 million and 2.5 percent of program payments.

2. Estimate improper payments

Estimate improper payments for programs susceptible to
significant improper payments.

3. Implement a plan

Implement a plan to reduce improper payments.

4. Annually report

Annually report improper payment estimates and actions to
reduce them.



Source: GAO. 



Recovery Auditing Act

In addition, under certain conditions, applicable agencies are required to
report on their efforts to recover improper payments made to contractors
under section 831 of the National Defense Authorization Act for Fiscal 
Year 2002, commonly known as the Recovery Auditing Act. This legislation 
contains a provision that requires executive branch agencies entering into 
contracts with a total value exceeding $500 million in a fiscal year to have 
cost-effective programs for identifying errors in paying contractors and for 
recovering amounts erroneously paid. The act further states that a 
required element of such a program is the use of recovery audits and 
recovery activities. The law authorizes federal agencies to retain recovered 
funds to cover actual administrative costs as well as to pay other 
contractors, such as collection agencies. Agencies that are required to 
undertake recovery audit programs were directed by OMB to provide 
annual reports on their recovery audit efforts, along with improper
payment reporting details, in an appendix to their PARs. 



OMB Guidance and Initiatives

In August 2006, OMB revised its IPIA implementing guidance. The revision
consolidates into Appendix C of OMB Circular No. A-123, Management's
Responsibility for Internal Control, all guidance for improper payments
and recovery auditing reporting. 11 While inconsistent with the language in 
IPIA, the revised guidance allows for risk assessments to be conducted 
less often than annually for programs where improper payment baselines 
are already established, are in the process of being measured, or are 
scheduled to be measured by an established date. Although OMB kept its 
criteria for defining significant improper payments as those exceeding 
both 2.5 percent of program payments and $10 million, OMB added that it 
may determine on a case-by-case basis that certain programs that do not 
meet the threshold may be subject to the annual reporting requirement. 
Additionally, the revised guidance allows agencies to use alternative 
sampling methodologies and requires agencies to report on and provide a 
justification for using these methodologies in their PARs. 12 This revised 
guidance is effective for agencies' fiscal year 2006 improper payment 
estimating and reporting in the PARs or annual reports. 

Other OMB guidance states that agencies must describe their corrective 
actions for reducing the estimate rate and amount of improper payments. 13 
Related to corrective actions, OMB's implementing guidance for IPIA 
requires that agencies implement a plan to reduce erroneous payments, 
including identifying the following. 14 

• Root causes — For all programs and activities with erroneous payments 
exceeding $10 million, agencies shall identify the reasons their programs 



11 OMB Circular No. A-123 provides a central reference point for guidance to federal
managers on improving the accountability and effectiveness of federal programs and 
operations by establishing, assessing, correcting, and reporting on internal control. The 
circular emphasizes the need for integrated and coordinated internal control assessments 
that synchronize all internal control-related activities. For prior improper payments 
guidance, see footnote 8. 

12 An example of an alternative sampling methodology includes developing an annual error 
rate for a component of the program. 

13 OMB Circular No. A-136, Financial Reporting Requirements, § II.5.7 (June 29, 2007).

14 Appendix C of OMB Circular No. A-123.
and activities are at risk of erroneous payments and put in place a
corrective action plan to reduce erroneous payments. 

• Reduction targets — Targets are necessary for future improper payment 
levels and a timeline within which the targets will be reached. 

• Accountability — Ensure that their managers and accountable officers 
(including the agency head) are held accountable for reducing improper 
payments. Agencies shall assess whether they have the information 
systems and other infrastructure needed to reduce improper payments to 
minimal cost-effective levels, and identify any statutory or regulatory 
barriers that may limit agencies' corrective actions in reducing improper 
payments. 

OMB has also established Eliminating Improper Payments as a program- 
specific initiative under the President's Management Agenda (PMA). This 
separate PMA program initiative began in the first quarter of fiscal year 
2005. Previously, agency efforts related to improper payments were 
tracked along with other financial management activities as part of the 
Improving Financial Performance initiative of the PMA. The objective of 
establishing a separate initiative for improper payments was to ensure that 
agency managers are held accountable for meeting the goals of IPIA and 
are therefore dedicating the necessary attention and resources to meeting 
IPIA requirements. This program initiative establishes an accountability 
framework for ensuring that federal agencies initiate all necessary 
financial management improvements for addressing this significant and 
widespread problem. Specifically, agencies are to measure their improper 
payments annually, develop improvement targets and corrective actions, 
and track the results annually to ensure the corrective actions are 
effective. 



DHS Has Made Some Progress in Implementing the Requirements of IPIA, but Remains Noncompliant

While DHS has taken actions over the last 3 fiscal years to implement IPIA
requirements, much more work needs to be done. In each of the last
3 fiscal years, DHS was unable to perform risk assessments for all of its
programs and activities — the first step of IPIA implementation. This and
other issues, such as concerns about program identification and testwork
performed, contributed to DHS's reported noncompliance with IPIA over
the last 3 fiscal years. Until DHS is able to fully assess its programs, the
potential magnitude of improper payments cannot be estimated.

For fiscal year 2006, DHS did not perform risk assessments on programs
with $13 billion of its $29 billion of payments subject to IPIA. Over
$6 billion of this amount related to payments for grant programs.
Performing risk assessments of grant programs and testing grant payments
can be difficult because of the many layers of grant recipients, as well as
the type of recipients and number of grant programs. However, developing 
a plan to assess risk and potentially test grant payments is important 
because of financial management weaknesses reported at DHS grantees 
and concerns about DHS's grants management process. Developing a plan 
will also allow DHS to gain an understanding of its risk with respect to 
grant payments and potentially reduce future improper payments. 



DHS's Efforts to Meet IPIA Requirements

To comply with the requirements of IPIA and related guidance from OMB,
DHS initiated a plan in fiscal year 2004 to reduce its susceptibility to
issuing improper payments by having each of its organizational elements
complete a risk assessment of major programs 15 by assigning each one an 
overall risk score. Based on this assessment, none of DHS's programs 
were found to be high risk; however, DHS's independent auditor reported 
that the agency was not in compliance with IPIA mainly because it had not 
yet instituted a systematic method of reviewing all programs and 
identifying those it believed were susceptible to significant erroneous 
payments. 

In fiscal year 2005, the auditor again reported noncompliance issues 
regarding the adequacy of the agency's risk assessments. Based on DHS's 
guidance, each component selected its largest program and completed 
statistical testing. DHS regarded this quantitative selection as its risk 
assessment process and did not incorporate qualitative factors. As with 
fiscal year 2004, DHS reported that it did not identify any programs or 
activities as being susceptible to significant improper payments and its 
auditors again reported that DHS was not in compliance with IPIA. 

The DHS OCFO worked with components during fiscal year 2006 to 
continue to refine the population of improper payment programs by 
having the components group Treasury Appropriation Fund Symbols 
(TAFS) 16 into logical, recognizable programs. After identifying the 
population of disbursements for fiscal year 2006 IPIA testing, DHS 
components provided the necessary payment data to a contractor with 
expertise in statistical testing. The contractor constructed stratified 
sampling plans and samples for DHS components to perform IPIA testing 
for DHS's risk assessment process. This testing was expanded from fiscal 
year 2005 to include, based on DHS's revised guidance, all DHS programs 
issuing more than $100 million of IPIA-relevant payments. 17 Two programs 
were found to be high risk. However, despite these efforts, DHS's 
independent auditor found that the agency was still not in compliance with 
IPIA as reported in its fiscal year 2006 PAR, primarily because not all 
programs subject to IPIA were tested, and the population of 
disbursements tested for some programs was not complete. Appendix III 
contains additional information about DHS's prior year IPIA PAR reporting 
and compliance issues reported by its independent auditor. 

15 OMB's implementing guidance defines a "program" as activities or sets of activities 
recognized as programs by the public, OMB, or the Congress, as well as those that entail 
program management or policy direction. This definition includes, but is not limited to, all 
grants, regulatory activities, research and development activities, direct federal programs, 
procurements including capital assets and service acquisition, and credit programs. It also 
includes the activities engaged in by the agency in support of its programs. 

16 OMB Circular No. A-11, Preparation, Submission, and Execution of the Budget (revised 
July 2, 2007), defines TAFS as a summary account established in the Treasury for each 
appropriation and fund. 



Required Risk Assessments Not Completed for All Programs for Fiscal Year 2006 



Although DHS made progress in identifying its programs in fiscal year 
2006, the agency did not perform a risk assessment for all programs and 
activities — covering approximately $13 billion of its more than $29 billion 
in disbursements subject to IPIA. According to DHS, this was primarily 
due to a lack of resources, guidance, and experience in performing this 
work. This was a major factor in the independent auditors' finding that 
DHS was noncompliant with IPIA for fiscal year 2006. DHS performed risk 
assessments (step 1) for programs accounting for approximately 
$16 billion of the $29 billion in disbursements subject to IPIA review. Of 
this $16 billion covered by risk assessments, approximately $7 billion 
related to FEMA's disaster relief programs that were found to be at high 
risk for issuing significant improper payments and therefore steps 2 
through 4 were completed to estimate improper payments, develop a plan 
to reduce improper payments, and report this information. This testing 
resulted in estimated improper payments issued by FEMA from 
September 2005 through March 2006 of $450 million (8.56 percent) of IHP 
assistance payments and $319 million (7.44 percent) of disaster-related 
vendor payments. 18 Although the necessary IPIA work — steps 1 and 2 — 
was completed for the two DHS high-risk programs, the time period 
covered for testing and reporting (i.e., September 2005 through 
March 2006) was not in accordance with OMB's implementing guidance, 
also contributing to DHS's reported noncompliance with IPIA. 19 The 
remaining programs, with disbursements totaling $9 billion, were not 
found to be at risk for issuing significant improper 
payments and therefore DHS did not report improper payments for these 
programs. For some of its nondisaster programs, DHS performed 
statistical sample testing for those programs with disbursements greater 
than $100 million, without first performing a qualitative risk assessment 
such as an assessment of internal controls, oversight and monitoring 
activities, and results from external audits. While this approach is perhaps 
better than not doing any assessment, DHS officials concurred that it 
could be considered an inefficient use of resources, if a program is not at 
high risk. 

17 DHS excluded payroll, intragovernmental, and travel payments from IPIA testing. 
According to DHS, these payments were excluded because of the following reasons: 
(1) payroll was excluded because DHS identified it as having a low level of risk due to the 
strong internal controls that result from payroll payments being administered by a third 
party, the National Finance Center; (2) intragovernmental payments were excluded as 
these do not result in net gains or losses to the federal government; and (3) travel payments 
are a small population and while they were not tested separately for IPIA purposes, they 
were tested as part of internal control reviews by individual components. In addition, 
purchase card transactions for the entire department were tested centrally by the U.S. 
Coast Guard (USCG) during fiscal year 2006. 

Table 1 shows DHS's population of programs identified for IPIA testing 
and the status of DHS's IPIA risk assessment process performed in fiscal 
year 2006. 



18 U.S. Department of Homeland Security, Performance and Accountability Report Fiscal 
Year 2006 (Washington, D.C.: Nov. 15, 2006). DHS also reported estimated improper 
payments for all of fiscal year 2006 for these two programs. However, DHS calculated the 
fiscal year 2006 estimates by applying the estimated error percentage rates from the 
September 2005 through March 2006 testing to the fiscal year 2006 outlay figures. The 
estimated error percentage rates for the September 2005 through March 2006 testing have a 
90 percent confidence interval of plus or minus 2.32 percentage points for IHP assistance 
payments and plus or minus 2.62 percentage points for disaster-related vendor payments 
based on statistically valid cluster samples. See IPIA reporting details in DHS's fiscal year 
2006 PAR. 

19 According to DHS, the agency chose to use this time period because it was the period of 
greatest payment activity following the 2005 Gulf Coast hurricanes. 
Table 1: DHS Fiscal Year 2006 IPIA Programs (based on fiscal year 2005 disbursements) 

Dollars in millions 

| DHS IPIA program | IPIA population b | Risk assessment for fiscal year 2006: performed c | Risk assessment for fiscal year 2006: not performed d |
|---|---|---|---|
| Customs and Border Protection (CBP) Custodial a | $1,116 | $1,116 | |
| Other CBP programs | 1,713 | 1,713 | |
| Federal Air Marshals (FAM) | 318 | | 318 |
| Federal Emergency Management Agency (FEMA) disaster-related programs: | | | |
| Disaster Relief | 7,133 | 7,133 e | |
| Cerro Grande Fire Claims | 14 | | 14 |
| FEMA nondisaster programs | 4,803 | | 4,803 |
| Federal Law Enforcement Training Center (FLETC) programs | 139 | 139 | |
| Office of Grants and Training (GT) programs | 3,136 | | 3,136 |
| Immigration and Customs Enforcement (ICE) and ICE components: f | | | |
| Salaries & Expenses | 953 | 953 | |
| Technology | 829 | 829 | |
| Federal Protective Service | 548 | 548 | |
| US-VISIT | 208 | 208 | |
| Other programs | 649 | | 649 |
| Transportation Security Administration (TSA): | | | |
| Original IPIA programs g | 3,414 | | 1,384 g |
| Revised IPIA programs: | | | |
| Grant programs | | 343 | |
| Nongrant programs | | 1,687 | |
| U.S. Coast Guard (USCG): | | | |
| Operating Expenses | 2,741 | | 2,741 |
| Acquisition, Construction & Improvements (reported as Contracts) | 867 | 867 | |
| Other h | 620 | 620 | |
| U.S. Secret Service (USSS) Operating Expenses | 83 | 83 | |
| Total IPIA program disbursements | $29,284 | $16,239 | $13,045 |

Sources: DHS fiscal year 2006 IPIA programs (based on fiscal year 2005 disbursement populations) and GAO analysis of information 
provided by and reported by DHS. 

a CBP collects import duties, taxes, and fees on merchandise arriving in the United States from foreign 
countries, and subsequently transfers these receipts to other entities. Receipts of import duties and 
related refunds are presented in the statement of custodial activity in the DHS financial statements. 
CBP tested the custodial program as part of remediating the Custodial Revenue and Drawback 
material weakness. According to DHS, while this testing did not follow Appendix C to OMB Circular 
No. A-123, it did support the conclusion that this program is not at high risk for issuing improper 
payments as no significant improper payments as defined by OMB were identified. 

b These disbursement amounts represent the original amounts provided by the DHS Program 
Management Office to the individual DHS components. Actual amounts used by the components as 
they performed additional analysis and testing may differ. Also, according to DHS, the disbursement 
amounts were based on Standard Form (SF) 133 outlay figures, and DHS found this to be 
problematic. DHS will address these problems during fiscal year 2007. 

c Unless otherwise noted, a risk assessment was performed for the IPIA program and the program 
was found to be not at high risk for issuing significant improper payments. 

d A risk assessment was not performed for the IPIA program and, according to its independent auditor, 
this contributed to DHS's noncompliance with IPIA in fiscal year 2006. 

e A risk assessment was performed for the IPIA program and the program — which includes IHP 
assistance and disaster-related vendor payments — was found to be at high risk for issuing significant 
improper payments. Additional work was completed to estimate improper payments, develop a plan 
to reduce improper payments, and report this information. 

f ICE components include U.S. Citizenship and Immigration Services, the Management Directorate, 
the Science & Technology Directorate, the Office of Intelligence and Analysis, and the Border and 
Transportation Security Directorate, because ICE is the financial management provider for these 
components. 

g Based on additional information provided by DHS, USCG is TSA's accounting provider. USCG staff 
consolidated the TSA IPIA programs into one entitywide program which was then split into grant and 
nongrant segments. A risk assessment was performed for these two segments and neither was found 
to be at risk for significant improper payments. The reason for the consolidation was concern over 
insufficient time to complete testing of multiple TSA programs. According to DHS, components in the 
future will need to provide ample justification and receive formal DHS OCFO concurrence before 
program definitions can be changed. 

h According to USCG, once all payroll amounts are deducted, the total would be under $100 million. 

Since DHS did not perform the required first step — a risk assessment — on 
programs with approximately $13 billion of its more than $29 billion in 
disbursements subject to IPIA, it is unknown whether these programs are 
at high risk for issuing improper payments. 



Grant Programs Continue to Present a Challenge for IPIA Implementation 



DHS encountered challenges implementing IPIA for the programs with 
$13 billion of disbursements for which no risk assessment or testing was 
performed in fiscal year 2006. Over $6 billion of this amount related to 
payments for grant programs. The remaining $7 billion related primarily to 
FEMA nondisaster programs and TSA programs not categorized as grant 
or nongrant programs, and USCG operating expenses. DHS's grant 
programs include the NFIP, which had disbursements of over $3 billion 
that should have been included in DHS's IPIA population for review in 
fiscal year 2006. As we have previously reported, measuring improper 
payments and designing and implementing actions to reduce or eliminate 
them are not simple tasks, particularly for grant programs that rely on 
quality administration efforts at the state level. 20 DHS has an even greater 
challenge in the diversity of recipients for its grants which include state 
and local governments, individuals, and other entities. During fiscal year 
2006, DHS awarded grants to over 5 million recipients 21 for 70 different 
grant programs, including state and local governments, nonprofits, and 
other entities and individuals. Although disbursements made related to 
these grants are subject to IPIA, as DHS has noted, performing risk 
assessments of grant programs and testing grant payments are difficult 
because of the many layers of grant recipients, as well as the type of 
recipients and number of grant programs. 

Developing a plan to assess risk and potentially test grant payments is 
important because of noted financial management weaknesses of DHS 
grantees. For example, DHS's independent auditors and the DHS OIG have 
reported grants management weaknesses in part because the agency did 
not adequately follow up on audit findings pertaining to grantees' potential 
improper payments. In addition, the DHS OIG identified grants 
management as a major management challenge facing the department. We 
have also identified the NFIP as a high-risk program. 22 A list of DHS's grant 
programs is presented in appendix IV. Appendix IV also shows the primary 
types of recipients and fiscal year 2006 award information for each grant 
program, as well as the component that administers the program. Given 
the identified weaknesses and the high-dollar amount, as well as the 
inherent risk associated with grant programs, it is important for DHS to 
assess grant programs for susceptibility to significant improper payments 
in accordance with IPIA. Assessing and, if necessary, testing these grant 
programs will allow DHS to gain an understanding of its risk in this area 
related to improper payments and potentially reduce future improper 
payments. 

20 GAO, Improper Payments: Federal and State Coordination Needed to Report National 
Improper Payment Estimates on Federal Programs, GAO-06-347 (Washington, D.C.: 
Apr. 14, 2006). 

21 This amount includes both individual grant recipients as well as states and other entities. 

22 GAO, High-Risk Series: An Update, GAO-07-310 (Washington, D.C.: January 2007). We 
placed the National Flood Insurance Program (NFIP) on our high-risk list in March 2006 
because the NFIP will unlikely generate sufficient revenues to repay the billions borrowed 
from the Department of the Treasury to cover flood claims from the 2005 hurricanes. 

During fiscal year 2006, DHS completed a risk assessment by performing 
sample testing for grants administered by the Transportation Security 
Administration (TSA) with disbursements of about $343 million; however, 
the department was unable to perform an assessment of its grants 
programs administered by the Office of Grants and Training (GT). Of the 
approximately $13 billion for which DHS did not perform a risk 
assessment, over $3 billion related to grant programs administered by GT. 23 
In addition to the NFIP, FEMA also administers other grant programs 
which, with the exception of IHP, 24 were not tested during fiscal year 2006. 
DHS identified three IPIA programs within GT, including Domestic 
Preparedness, State and Local Programs, and Firefighter Assistance 
Grants, totaling $3.1 billion of fiscal year 2005 disbursements for fiscal 
year 2006 IPIA testing; however, GT did not perform an assessment or 
complete statistical sample testing on these grants programs. In its fiscal 
year 2006 PAR, DHS reported that one complication that was not 
overcome was how to extend statistical sample testing to grant recipients. 
DHS also had difficulty testing its grant programs because of the large 
number of grant programs identified for testing based on DHS's guidance 
for fiscal year 2006 program identification and risk assessment 
methodology, which required that all programs with total disbursements 
exceeding $100 million be selected and statistically tested. DHS reported 
that one of the problems with its fiscal year 2006 IPIA methodology was 
that its risk assessments were based on strictly quantitative factors, 
instead of both qualitative and quantitative factors. Although OMB has not 
yet provided guidance as we have previously recommended, 25 DHS issued 
internal guidance recognizing the need to consider qualitative factors. 

23 During fiscal year 2007, FEMA underwent a reorganization and GT became a part of 
FEMA. Therefore, the grant functions for both components are now consolidated under 
FEMA. 

24 IHP payments are included in disaster assistance grants administered by FEMA. 

25 GAO, Improper Payments: Agencies' Fiscal Year 2005 Reporting under the Improper 
Payments Information Act Remains Incomplete, GAO-07-92 (Washington, D.C.: Nov. 14, 
2006). 

26 31 U.S.C. §§ 7501-7507. Under the Single Audit Act, as amended, and implementing 
guidance, independent auditors audit state and local governments and nonprofit 
organizations that expend federal awards to assess, among other things, compliance with 
laws, regulations, and the provisions of contracts or grant agreements material to the 
entities' major federal programs. Organizations are required to have single audits if they 
expend $500,000 or more in federal awards. 

One such qualitative factor that DHS could consider as part of its risk 
assessment process is the results of Single Audit Act, as amended, 26 
reports related to its grantees. During fiscal year 2006, DHS's independent 
auditors reported that the agency was not in compliance with the Single 
Audit Act. According to the independent auditors' report, FEMA and TSA 
are required to comply with certain provisions of OMB Circular No. A-133, 
which requires agencies awarding grants to ensure they receive grantee 
reports timely and to follow-up on grantee single audit findings. Although 
certain procedures have been implemented to monitor grantees and their 
audit findings, the auditors noted that DHS did not have procedures in 
place to comply with these provisions in OMB Circular No. A-133 and 
follow up on questioned costs 27 and other matters identified in these 
reports. TSA has developed a corrective action plan to establish a new 
system and processes to track and review single audit reports, but FEMA 
has not completely developed its corrective action plans due to the 
previously mentioned organizational changes during fiscal year 2007. We 
identified 37 DHS grantees — with awards totaling $2.1 billion — that had 
single audit findings related to questioned costs for fiscal year 2005. Some 
examples of questioned costs described in audit reports follow. 

• One single audit report questioned $353,000 in unallowable charges for 
salaries and benefits due to a lack of adequate documentation. 

• One grantee had expenditures that did not have appropriate supporting 
documentation, with the questioned amount totaling almost $80,000. 

• Another grantee had costs of about $72,000 that were improperly charged 
to the grant program. 

• A third grantee over-claimed reimbursement amounts of about $4,000. 

The DHS OIG also conducts audits relating to the programs and operations 
of DHS, including grant programs. The DHS OIG reviews several factors to 
determine which activities to audit, including current or potential dollar 
magnitude, and reports or allegations of impropriety or problems in 
implementing the programs. The objectives of these grant program audits 
include determining whether the grantee accounted for and expended 
funds according to federal regulations and DHS guidelines. For certain 
grantees, the DHS OIG has found questioned costs such as excessive 
charges, duplicate payments, ineligible contractor costs, unsupported 
contractor and labor costs, and other expenditures. The following are 
examples of DHS OIG findings from fiscal years 2005 through 2007. 

• The DHS OIG found that one particular grantee had questioned costs of 
more than $1.8 million. 

• The DHS OIG has also found instances where the grantee did not follow all 
federal procurement standards or DHS guidelines in awarding contracts, 
and needed improvements in procedures to make payments to 
subgrantees. One instance involved awarding contracts totaling more than 
$14 million and another instance involved more than $8 million in contract 
work. 

27 A "questioned" cost is a finding which, at the time of the audit, is not supported by 
adequate documentation or is unallowable. 

In an effort to address the agency's noncompliance with the Single Audit 
Act, as amended, DHS's Office of Grant Policy and Oversight (GPO) told 
us that it instituted an informal oversight process for single audits during 
fiscal year 2007 and is in the process of developing formal procedures. 
According to GPO, the development of this process is an attempt to 
address some of the grants management concerns that have been 
identified at DHS by its auditors and the DHS OIG. This monitoring 
process will help DHS to focus on audit findings at grantees and could 
help DHS with performing a risk assessment over grant programs for IPIA 
purposes by providing qualitative criteria. 



While DHS Has Developed Plans to Address IPIA Requirements and Reduce Improper Payments, Full Implementation Will Be Longer Term 

DHS has taken steps to address IPIA requirements, but the agency does 
not plan to be compliant in fiscal year 2007 and will likely not be 
compliant in fiscal year 2008. During fiscal year 2007, DHS prepared, and 
continues to refine, a departmentwide corrective action plan to address 
internal control weaknesses and noncompliance issues, including IPIA; 
however, the agency continues to encounter challenges in developing a 
plan to fully perform a risk assessment process. DHS used this corrective 
action plan to update its guidance and, according to DHS officials, the 
agency plans to focus on program identification and risk assessments 
during fiscal year 2007. Although DHS does not expect to be compliant in 
fiscal year 2007, focusing on these areas will help the agency build a solid 
foundation for its IPIA program. 

In addition to its overall corrective action plan to comply with IPIA, DHS, 
as required by IPIA and related OMB implementing guidance, has 
developed plans to reduce improper payments related to the two high-risk 
programs it has identified thus far. These plans include reducing manual 
processing, improving system interfaces, and clarifying roles and 
responsibilities. If properly executed, these plans should help reduce 
future improper payments in these programs by strengthening internal 
controls. With regard to system improvements, as we have previously 
recommended, 28 DHS needs to conduct effective testing to provide 
reasonable assurance that the system will function in a disaster recovery 
environment. 



DHS Has Developed a Corrective Action Plan for Compliance with IPIA, but Implementation Challenges Remain 

DHS has developed a corrective action plan to address the findings of its 
independent auditor, 29 including its noncompliance with IPIA. In its most 
recent audit report for fiscal year 2006, the auditor recommended that 
DHS follow OMB guidance 30 to complete the necessary susceptibility 
assessments, perform testwork over all material programs, and institute 
sampling techniques to allow for statistical projection of the results of its 
improper payments testing. 

In its IPIA corrective action plan, DHS documented the root causes that it 
believes have resulted in its noncompliance, and analyzed the key success 
factors, key performance measures, verification and validation 
procedures, risks, impediments, dependencies with other corrective 
actions, resources required, and critical milestones needed to become 
compliant with IPIA; however, implementation will take significant time 
and effort. DHS cited its lack of resources, guidance, and experience with 
IPIA to execute risk assessments as root causes for its noncompliance 
with IPIA. The corrective action plan identified the following items related 
to IPIA, including root causes. 

28 GAO, Hurricanes Katrina and Rita: Unprecedented Challenges Exposed the Individuals 
and Households Program to Fraud and Abuse; Actions Needed to Reduce Such Problems 
in Future, GAO-06-1013 (Washington, D.C.: Sept. 27, 2006). 

29 OMB Circular No. A-50, Audit Followup (revised Sept. 29, 1982), requires agencies to 
develop corrective action plans to address audit findings, stating that corrective action 
taken by management on audit findings and recommendations is essential to improving the 
effectiveness and efficiency of government operations. According to OMB's guidance, each 
agency is required to establish systems to assure the prompt and proper resolution and 
implementation of audit recommendations. 

30 OMB Memorandum M-03-13, along with other improper payment guidance, was 
consolidated into Appendix C of OMB Circular No. A-123. Appendix C was in effect for 
fiscal year 2006. 
Table 2: Summary of DHS's Corrective Action Plan for IPIA Compliance as of June 7, 2007 

| Area | Description |
|---|---|
| Root cause | • Lack of program-level financial reporting |
| | • Lack of experience and guidance with IPIA to execute risk assessments, which led to the absence of proper risk assessments |
| | • Difficulty in testing DHS grant programs |
| | • Hurricane Katrina effects that highlight internal control weaknesses over disbursements at FEMA |
| Key success factors | • Define IPIA compliance criteria |
| | • Define IPIA programs |
| | • Complete a rigorous risk assessment |
| | • Develop sample test plans and execute sample testing |
| | • Establish a review program to ensure that an independent party reviews preparer responses |
| | • Develop a corrective action plan based on test results |
| | • Have components update these corrective action plans periodically |
| Key performance measures | • 100% identification of DHS population of programs for IPIA work |
| | • 100% completion of risk assessments by components |
| | • 100% completion of IPIA sample testing by July 31, 2007, for all components' high-risk programs |
| | • 100% oversight of component corrective action plans for high-risk programs |
| | • IPIA compliance guidance for fiscal year 2007 issued by May 31, 2007 |
| | • Completion of supplemental sample payment testing that confirms that corrective action plan targets for high-risk programs are being met or exceeded |
| | • Increase recoupment (recovery) for identified improper payments |
| | • Completion of secondary control of recovery audit for components with IPIA total disbursement populations above $500 million |
| | • Submission of corrective action plans for all high-risk IPIA programs by September 15, 2007 |
| Verification and validation | • Confirm improper payment sample test populations tie to an independent verifiable source |
| | • Assess the operating effectiveness of sample test results |
| | • Confirm claimed recovery amounts are reflected in general ledger postings |
| | • Review recovery audit contract reports against general ledger balances to confirm comprehensiveness of work |
| | • Test common high-risk factors identified by sample test results after performing a cost-benefit analysis |
| Risks, impediments, and dependencies | • Grant impediment: legal and political restrictions, lack of guidance |
| | • Budgetary and financial system impediment |
| | • FEMA risk: breakdown of controls and scale of disbursements for Hurricane Katrina |
| | • Guidance risk: clarification of requirements in Appendix C to OMB Circular No. A-123 would be helpful |
| | • Sample design impediment: the trial balance data used for IPIA analysis does not readily yield true IPIA disbursement population amounts |
| | • Recovery audit impediment: security- and staffing-related issues have hampered the ability of recovery audit contractors |
| Resources required | • DHS OCFO has hired contractor support to review DHS IPIA compliance guidance, provide IPIA training, review DHS component-completed risk assessments, and develop testing sample sizes to include in DHS component-developed test plans |
| | • DHS components will conduct the risk assessments and develop their own test plans for high-risk programs |
| | • FEMA hired contractor support to design and implement an improper payment test plan for Hurricane Katrina-related payments for individual housing programs, contracts, mission assignments, and grants |
| | • FEMA also hired a contractor to assist with IPIA program definitions and risk assessments for all FEMA programs |

Source: DHS Office of Financial Management, Improper Payments Information Act Corrective Action Plan Summary Report (as of 
June 7, 2007). 

DHS also identified critical milestones in its corrective action plan for IPIA 
compliance, including due dates and status. However, these efforts remain 
ongoing and DHS has already missed some milestones. For example, while 
DHS initially planned for each component to identify its IPIA programs 
and disbursement populations by January 2007, this milestone was 
delayed until June 2007. As of July 8, 2007, according to DHS, the agency 
was waiting for one component to submit its list of programs, and DHS 
was in the process of reviewing submissions from the other components. 
Because of such delays, DHS does not expect to be in compliance with 
IPIA in fiscal year 2007 and will likely be noncompliant in fiscal year 2008. 
DHS's updated critical milestones as of June 7, 2007, related to fiscal year 
2007 are presented in table 3. 



Table 3: Summary of Critical Milestones in DHS's Corrective Action Plan for IPIA 
Compliance Related to Fiscal Year 2007 

| Topic | Due date | Completion status according to DHS |
|---|---|---|
| Guidance and training: | | |
| Update fiscal year 2007 IPIA PAR guidance | 2/1/2007 | Completed-100% |
| Hold corrective action plan workshop on program identification and risk assessments for fiscal year 2007 | 5/30/2007 | Completed-100% |
| Hold corrective action plan workshop on sample testing and reporting for fiscal year 2007 | 6/29/2007 | Planning-25% |
| Program identification: | | |
| Program identification for fiscal year 2007 | 6/15/2007 | In progress-50% |
| Risk assessment: | | |
| A-123 pilot for FEMA for fiscal year 2006 IPIA work | 11/15/2007 | In progress-50% |
| Sample testing: | | |
| Develop sample test plans for fiscal year 2007 IPIA work | 6/28/2007 | In progress-50% |
| Complete sample test plans for fiscal year 2007 IPIA work | 8/31/2007 | Not started-0% |
| Generate programwide error estimates for fiscal year 2007 IPIA work | 9/14/2007 | Not started-0% |
| Error analysis/corrective actions for high-risk programs: | | |
| Implement corrective action plans for fiscal year 2006 IPIA work | 11/15/2007 | Completed-100% |
| Develop corrective action plans with projected error rate improvement for fiscal year 2007 IPIA work | 8/31/2007 | Not started-0% |
| Implement corrective action plans for fiscal year 2007 IPIA work | 11/15/2007 | Not started-0% |
| Recovery audit/collections: | | |
| Sign contract with recovery audit firm for fiscal year 2007 | 10/2/2006 | Completed-100% |
| Receive progress updates and final report for fiscal year 2007 IPIA work | 9/30/2007 | In progress-50% |
| PAR reporting: | | |
| Provide OMB with a draft fiscal year 2007 PAR and address all OMB feedback | 10/19/2007 | Not started-0% |

Source: DHS Office of Financial Management, IPIA Corrective Action Plan Summary and Detailed Reports (as of June 7, 2007). 



DHS's planning and assessment process to develop its IPIA corrective 
action plan enabled the agency to update its guidance for its components 
and, according to DHS, the agency plans to focus on program 
identification and risk assessments during fiscal year 2007. Strengthening 
risk assessments and identifying potential improper payments are also 
important in order for DHS to begin taking steps to reduce improper 
payments and ultimately improve the integrity of the payments it makes. 
According to DHS officials, the department has been working in close 
consultation with OMB, sharing guidance documents, program test plans 
and results, and recovery audit status reports. Regardless of whether DHS 
is able to fully complete these efforts in fiscal year 2007, focusing on these 
areas will help the agency build a solid foundation for a sustainable IPIA 
program. 

The updated guidance was issued in May 2007 and is to be in effect for 
fiscal year 2007 reporting. In this revised guidance, DHS clarifies how its 
components should identify their population of programs. In addition, 
DHS requires its components to perform a comprehensive risk assessment 
in order to identify programs susceptible to significant improper 
payments. DHS has designed a detailed methodology to conduct the IPIA 
risk assessment, and this methodology is outlined in the May 2007 
guidance. The methodology, which includes qualitative criteria, as we have 
previously discussed, involves the creation of a program risk matrix based 
upon specific risk elements that affect the likelihood of improper 
payments. Further, the guidance states that a program may be selected for 
testing even if it does not meet the quantitative or qualitative assessments, 
noting that it is entirely possible that the risk assessment process may not 
identify a program as high risk, but component management may believe a 
program is high risk due to a high-level public profile or known financial 
or regulatory issues (such as a high-profile contract). For those programs 
found to be at high risk for issuing improper payments, the guidance also 
provides instructions for estimating improper payments, implementing a 
plan to reduce improper payments, and reporting on this information. 
Each of these procedures outlined in the May 2007 guidance includes 
instructions to submit information or documentation to the Internal 
Controls over Financial Reporting (ICOFR) Program Management Office 
(PMO). 

DHS's May 2007 guidance for fiscal year 2007 also outlines possible 
alternative approaches for testing grants. One possible alternative is the 
complete documentation of the component's grant management process 
and the testing of internal controls. According to DHS, this approach helps 
the component identify specific weaknesses within the grant process, 
rather than sampling payments at random to determine potential errors. A 
second alternative is to perform a risk assessment on the program's grant 
portfolio. This alternative helps the program identify specific grants that 
may be more susceptible to improper payments. The identified grants 
would then be subject to improper payment sampling. If a component 
wishes to consider alternative approaches to grant sampling, an 
explanatory memorandum must be submitted to the ICOFR PMO for 
review and approval. If approved by the ICOFR PMO, DHS will submit the 
alternative approach request to OMB for review and approval. Also, OMB 
has reported 32 that the Chief Financial Officers (CFO) Council 33 continues 
to play a critical role in efforts to address and reduce improper payments 
through its Improper Payments Transformation Team. This group has been 
collaborating with nongovernmental entities to consolidate 
governmentwide best practices; enumerate legislative and regulatory 
barriers that hinder program integrity efforts; and develop forums where 
federal and state stakeholders from the program, audit, and financial 
communities work together to solve program integrity challenges. These 
activities could provide guidance to help DHS determine how to best test 
its grant programs. 

The ICOFR PMO, as discussed in the next section of this report, is an office within the 
DHS OCFO. 

Page 24 GAO-07-913 DHS Improper Payments 

DHS also plans to hold workshops for its components on statistical sample 
testing and reporting to ensure that they have a consistent understanding 
of what is expected with regard to IPIA testing and reporting. Although 
DHS does not expect to be in compliance with IPIA in fiscal year 2007, 
completing a thorough risk assessment process is an important first step. 



DHS Has a Broader Initiative to Resolve Internal Control Weaknesses across the Department 



In addition to developing the corrective action plans described, DHS has a 
broader initiative to resolve material internal control weaknesses and 
build management assurances across the department. During fiscal year 
2007, DHS established the ICOFR PMO as a new office within the DHS 
OCFO. The ICOFR PMO is responsible for departmentwide 
implementation of OMB Circular No. A-123. In March 2007, DHS issued the 
ICOFR Playbook, which outlines the department's strategy and processes 
to resolve material weaknesses and build management assurances and 
incorporates the departmentwide corrective action plans, which contain 
more detailed information. The ICOFR PMO is responsible for the ICOFR 
Playbook and, according to DHS, the agency will update the ICOFR 
Playbook each year, establishing milestones and focus areas that will be 
tracked during the year. One section of the ICOFR Playbook relates to 
IPIA testing, and it discusses the actions taken by DHS in fiscal year 2006 
to meet IPIA requirements. This section also states that DHS will develop 
policies and procedures to integrate the requirements of OMB's 
implementing guidance for IPIA into annual component management 
assurances of compliance with significant laws and regulations, as part of 
DHS management's assertion on internal controls over financial reporting 
and in an effort to strengthen internal controls to support DHS's mission. 
In addition to management providing an assertion on internal controls 
over financial reporting, DHS is required to obtain a related auditor's 
opinion. 34 Incorporating IPIA into this guidance will increase the likelihood 
of successful implementation and could also strengthen related internal 
controls. 

32 OMB, Improving the Accuracy and Integrity of Federal Payments (Washington, D.C.: 
Jan. 31, 2007). 

33 The CFO Council is an organization comprised of the CFOs and Deputy CFOs of the 24 
CFO Act agencies, and senior officials in OMB and the Department of the Treasury who 
work collaboratively to improve financial management in the U.S. government. 

The ICOFR Playbook draws attention to the process of addressing IPIA 
requirements across the department. By successfully addressing the 
requirements of IPIA, DHS will be in a better position to take steps to 
reduce improper payments, as the ultimate goal of IPIA reporting is to 
improve the integrity of payments that the agency makes. Further, DHS 
has testified that to ensure the long-term effectiveness of the department's 
efforts to reduce improper payments, DHS requested resources in its fiscal 
year 2008 budget to hire additional staff so that it can enhance risk 
assessment procedures and conduct oversight and review of component 
test plans. 



DHS Has Developed Plans to Reduce Improper Payments for FEMA's Two 
Disaster-Related Programs, but Effects Remain Unknown 



In addition to its overall corrective action plan to comply with IPIA, DHS, 
as required by IPIA and related OMB implementing guidance, has 
developed plans to reduce improper payments related to the two high-risk 
programs it identified in its fiscal year 2006 testing — FEMA's IHP 
assistance payments and disaster-related vendor payment programs. These 
plans highlighted improving internal controls to prevent improper 
payments in each of these programs. 

FEMA's testing of its two high-risk disaster-related programs identified 
several key internal control weaknesses, including ineffective system 
controls to review data for potential duplications and inconsistently 
applied standards for supporting evidence and documentation. To address 
these findings, FEMA initiated corrective action plans aimed at reducing 
improper payments by strengthening internal controls. These plans 
included validating Social Security numbers during telephone registration, 
increasing IT systems capabilities to handle high volume during a 
catastrophic disaster, and enhancing post-payment reviews. Our prior 
reporting 35 also identified significant internal control deficiencies in the 
IHP program. 

34 31 U.S.C. 3516(f)(2). 

To address OMB's reporting requirements on actions for reducing 
improper payments, DHS included in its fiscal year 2006 PAR corrective 
action plans for IHP assistance payments and disaster-related vendor 
payments. For each of the two high-risk programs, DHS prepared a 
schedule of corrective action plans with target completion dates. For the 
IHP program, DHS included corrective action plans that were already 
completed in addition to those in process and planned. DHS has also 
established critical milestones for reducing improper, disaster-related 
vendor payments. During fiscal year 2007, DHS updated and tracked its 
corrective action plan critical milestones. Details of these corrective 
action plan critical milestones can be found in appendix V. 

Based on DHS's updated corrective action plan report for IHP, as of 
May 14, 2007, DHS had not completed certain critical milestones by the 
identified target date. These milestones included system interface 
improvements and certain contract awards. Missing these established 
critical milestones delays strengthening internal controls that are 
necessary to reduce future improper payments, and therefore it is 
important that DHS stays on track in implementing its corrective action 
plans. 

DHS also noted that human capital is the principal requirement to execute 
these two corrective action plans; however, according to DHS, exact 
requirements are not estimable at this time. With regard to system 
improvements, as we have previously recommended, 36 DHS needs to 
conduct effective testing to provide reasonable assurance that the system 
will function in a disaster recovery environment. 



35 See, for example, GAO, Expedited Assistance for Victims of Hurricanes Katrina and 
Rita: FEMA's Control Weaknesses Exposed the Government to Significant Fraud and 
Abuse, GAO-06-655 (Washington, D.C.: June 16, 2006); Hurricanes Katrina and Rita 
Disaster Relief: Improper and Potentially Fraudulent Individual Assistance Payments 
Estimated to Be Between $600 Million and $1.4 Billion, GAO-06-844T (Washington, D.C.: 
June 14, 2006); and Expedited Assistance for Victims of Hurricanes Katrina and Rita: 
FEMA's Control Weaknesses Exposed the Government to Significant Fraud and Abuse, 
GAO-06-403T (Washington, D.C.: Feb. 13, 2006). 

36 GAO, Hurricanes Katrina and Rita: Unprecedented Challenges Exposed the Individuals 
and Households Program to Fraud and Abuse; Actions Needed to Reduce Such Problems 
in Future, GAO-06-1013 (Washington, D.C.: Sept. 27, 2006). 
DHS's Efforts to Comply with the Recovery Auditing Act and to Recover 
Improper Payments Need to Be Enhanced 



For the last 3 years, DHS has contracted with a recovery auditing firm to 
perform recovery audit work to comply with the Recovery Auditing Act; 
however, activities in this area could be improved. Specifically, DHS 
encountered problems that kept it from reporting on recovery audit efforts 
during fiscal year 2006. DHS was not able to report recovery audit results 
in fiscal year 2006 for three of the four components it identified as meeting 
the criteria for recovery auditing as specified in the Recovery Auditing Act 
(i.e., over $500 million in contractor payments) due to problems obtaining 
disbursement data and delays in obtaining security clearances for contract 
personnel. In addition, DHS did not perform recovery auditing efforts at 
the fourth component identified as meeting the criteria. Further, DHS has 
not yet reported on its efforts to recover improper payments identified 
during its testing of FEMA's disaster-related vendor payments and has 
reported limited information on its efforts to recover identified improper 
IHP assistance payments. 



In March 2007, DHS revised its internal guidance for recovery auditing for 
fiscal year 2007 to discuss the issues encountered in previous years and to 
emphasize timelines to help ensure that all applicable components are 
able to report. This guidance clarifies what is expected of applicable 
components, but ongoing oversight within the OCFO will be necessary to 
ensure that components are progressing with their recovery auditing 
efforts and will be able to successfully report on the results of these 
efforts at year end. In addition, DHS's updated guidance does not require 
components to report on efforts to recover improper payments identified 
during IPIA testing. Reporting this information in the annual PAR would 
provide a more complete picture of the agency's actions to recover 
payments that it has identified as being improper. 



Recovery Auditing Efforts at DHS Could Be Improved 

As an executive branch agency, DHS is required to perform recovery 
audits under certain conditions as specified by the Recovery Auditing Act. 
Beginning with fiscal year 2004, OMB required that applicable agencies 
publicly report on their recovery auditing efforts as part of their PAR 
reporting of improper payment information. Agencies are required to 
discuss any contract types excluded from review and justification for 
doing so. Agencies are also required to report, in table format, various 
amounts related to contracts subject to review and actually reviewed, 
contract amounts identified for recovery and actually recovered, and 
prior-year amounts. 

DHS took steps to identify and recover improperly disbursed funds by 
hiring an independent contractor who conducted recovery audit work at 
two major components, ICE and CBP. DHS began recovery auditing 
efforts during fiscal year 2004 but was not able to report on these efforts 
for that year because initial findings were not available in time to be 
included in the annual PAR. This recovery audit work continued during 
fiscal year 2005 and covered all fiscal year 2004 disbursements to 
contractors from these two components, ultimately identifying more than 
$2.1 million of improper payments and recovering more than $1.2 million, 
as reported in DHS's fiscal year 2005 PAR. While DHS was able to recover 
about 55 percent of improper payments identified through its recovery 
audit efforts, based on our review of other agencies, we have previously 
questioned 37 whether agency amounts identified for recovery should have 
been much higher, which would thereby significantly decrease the agency- 
specific and overall high rate of recovery. 

According to DHS's fiscal year 2006 PAR reporting, recovery audit 
contract work over fiscal year 2005 disbursements began in fiscal year 
2005 at CBP and ICE, and DHS extended its recovery audit work to 
include USCG in fiscal year 2006. Delays in obtaining security clearances 
for contract personnel severely hampered completion of recovery audit 
work at CBP and ICE. Delays in supplying needed disbursement 
information hindered recovery audit work at USCG. As a result, DHS was 
not able to provide conclusive recovery audit summary results for fiscal 
year 2006 PAR reporting. According to DHS, four of its components — ICE, 
CBP, USCG, and FEMA — meet the criteria for recovery auditing as 
specified in the Recovery Auditing Act (i.e., each has over $500 million in 
contractor payments). ICE, CBP, and USCG entered into the same 
recovery audit contract. FEMA's recovery audit work in fiscal year 2006 
was part of a pilot study on internal controls over improper payments for 
IHP assistance and disaster-related vendor payments. In the aftermath of 
Hurricane Katrina, DHS and FEMA, with the assistance of a contractor, 
conducted an internal controls assessment related to improper IHP 
assistance and disaster-related vendor payments. Although this 
assessment identified improper payments, DHS has not yet reported on its 
efforts to recover improper payments identified during its testing of 
FEMA's disaster-related vendor payments and has reported limited 
information, such as the dollar amount of improper payments approved 
for recovery and the amount returned to FEMA, related to its efforts to 
recover improper IHP payments. 

37 GAO, Improper Payments: Agencies' Fiscal Year 2005 Reporting under the Improper 
Payments Information Act Remains Incomplete, GAO-07-92 (Washington, D.C.: Nov. 14, 
2006). 



Of the 3 years agencies have been required to report on recovery audits in 
table format, DHS was only able to report required recovery audit data in 
its fiscal year 2005 PAR. 38 Table 4 presents DHS's recovery audit efforts 
and results for fiscal years 2004 through 2006. 



Table 4: Recovery Audit Results for Fiscal Years 2004 through 2006 

PAR fiscal year | Agency-reported amount subject to review for fiscal year reporting | Agency-reported actual amount reviewed and reported in fiscal year | Agency-reported amount identified for recovery in fiscal year | Agency-reported amount recovered in fiscal year | Related components
2004 | (not reported) | (not reported) | (not reported) | (not reported) | CBP, ICE a
2005 | $3,232,300,000 | $3,232,300,000 | $2,191,000 | $1,207,000 | CBP, ICE
2006 | (not reported) | (not reported) | (not reported) | (not reported) | CBP, ICE, and USCG b

Sources: DHS Performance and Accountability Reports for 2004, 2005, and 2006. 

a DHS contracted for recovery audit work at CBP and ICE; however, DHS was not able to provide 
recovery audit results for fiscal year 2003 disbursements in its fiscal year 2004 PAR. 

b DHS contracted for recovery audit work at CBP, ICE, and USCG; however, DHS was not able to 
provide recovery audit results for fiscal year 2005 disbursements in its fiscal year 2006 PAR. 



38 Subsequent to issuing its fiscal year 2006 PAR, DHS reported recovery audit amounts to 
OMB for inclusion in OMB's governmentwide reporting of fiscal year 2006 recovery 
auditing information. 

DHS's Internal Guidance for Recovering Improper Payments Has Been Revised 
but Additional Information Could Be Reported 

DHS has recently revised and clarified its internal guidance related to 
recovery auditing for fiscal year 2007 to discuss prior issues and 
emphasize timelines to help ensure that all applicable components are 
able to complete recovery audits and report on their efforts. The new 
guidance requires that applicable DHS components provide the ICOFR 
PMO with a general description and evaluation of the steps taken to carry 
out a recovery auditing program. Components are required to include a 
discussion of any security clearance requirements and show that there is 
sufficient time to allow contractors to complete audit recovery work in 
time to meet PAR reporting deadlines. Every update should include the 
total amount of contracts subject to review, the actual amount of contracts 
reviewed, the amount identified for recovery, and the amounts actually 
recovered in the current year. The year-end update should include a 
corrective action plan to address the root causes of payment errors. A 
general description and evaluation of any management improvements to 
address flaws in a component's internal controls over contractor payments 
discovered during the course of implementing a recovery audit program, 
or other control activities over contractor payments, is also required. This 
guidance applies to the four DHS components — CBP, FEMA, ICE, and 
USCG — that meet Recovery Auditing Act criteria. In addition, according to 
DHS, the ICOFR PMO may expand recovery audit contracting to other 
components as the benefits of this work become clearer. Although DHS's 
guidance clarifies what is expected of components, ongoing oversight 
within the OCFO will be necessary to ensure that the components are 
progressing with their recovery auditing efforts and will be able to 
successfully report on results at year end. 

In addition to specific recovery audit work to identify improper payments 
made to contractors, DHS also identifies improper payments through its 
IPIA testing. For example, as discussed previously, DHS's testing in fiscal 
year 2006 of its two high-risk programs identified improper IHP assistance 
payments and disaster-related vendor payments made by FEMA. However, 
DHS's internal guidance does not require components to include 
information in its annual PAR related to its efforts to recover improper 
payments identified during IPIA testing and, as a result, DHS has not yet 
reported on its efforts to recover improper disaster-related vendor 
payments identified and has reported limited information on its efforts to 
recover identified improper IHP assistance payments. Having components 
report this information in the annual PAR would provide a more complete 
picture of the agency's actions to recover payments that it has identified as 
being improper. 



Although DHS has made some progress in implementing the requirements 
of IPIA, challenges remain in ensuring that all DHS programs and 
activities, including grant programs, have been reviewed to determine 
their susceptibility to significant improper payments and tested, if 
applicable. As DHS continues to improve its IPIA efforts and identify and 
test its high-risk programs, the agency should be better able to identify, 
and ultimately strengthen controls, to reduce improper payments. 

While preventive internal controls should be maintained as the agency's 
front-line defense against making improper payments, recovery auditing 
holds promise as a cost-effective means of identifying contractor 
overpayments. In addition, reporting on efforts to recover any other 
specific improper payments identified would provide a more complete 
picture of the agency's actions to recover payments that it has identified as 
being improper. With the ongoing imbalance between revenues and 
outlays across the federal government, and the Congress's and the 
American public's increasing demands for accountability over taxpayer 
funds, identifying, reducing, and recovering improper payments become 
even more critical. 



Recommendations for Executive Action 

To improve DHS's efforts to implement IPIA and recover improper 
payments, we recommend that the Secretary of Homeland Security direct 
the Chief Financial Officer to take the following actions. 

(1) Maintain oversight and control over critical milestones identified in the 
DHS corrective action plan for IPIA compliance so that DHS components 
stay on track, specifically in regard to identifying programs and 
performing risk assessments and any related testing. 

(2) Require all applicable components to determine and document how 
they plan to assess their grant programs to determine whether they are at 
high risk for issuing significant improper payments, and, if necessary, test 
these grant programs. 

(3) Provide oversight and monitor the progress of all applicable DHS 
components to successfully perform and report on their recovery auditing 
efforts. 

(4) Similar to the required reporting on efforts to recover improper 
payments made to contractors under the Recovery Auditing Act, develop 
procedures for reporting in its annual PAR on the results of yearly efforts 
to recover any other known improper payments identified under IPIA, by 
the DHS OIG, or other external auditors. 



Agency Comments and Our Evaluation 

We requested comments on a draft of this report from the Secretary of 
Homeland Security. These comments are reprinted in appendix II. DHS 
concurred with the recommendations in our report. DHS noted that 
significant actions under way include strengthening the department's 
financial management and oversight functions to improve the DHS control 
environment and implementing risk assessments to build a foundation for 
a sustainable IPIA program. 

As agreed with your offices, unless you publicly announce its contents 
earlier, we plan no further distribution of this report until 30 days after its 
date. At that time, we will send copies of this report to the Secretary of 
Homeland Security and other interested parties. Copies will also be made 
available to others upon request. In addition, this report will also be 
available at no charge on GAO's Web site at http://www.gao.gov. 

If you or your staff have any questions regarding this report, please 
contact me at (202) 512-9095 or at williamsml@gao.gov. Contact points for 
our Offices of Congressional Relations and Public Affairs may be found on 
the last page of this report. GAO staff who made contributions to this 
report are listed in appendix VI. 




McCoy Williams 

Director, Financial Management and Assurance 
Appendix I: Scope and Methodology 



To determine to what extent the Department of Homeland Security (DHS) 
has implemented the requirements of the Improper Payments Information 
Act of 2002 (IPIA), we compared the IPIA legislation, and the related 
Office of Management and Budget (OMB) implementing guidance, with 
DHS improper payment risk assessment methodologies, and IPIA 
Performance and Accountability Report (PAR) information for fiscal years 
2004 through 2006. To analyze DHS risk assessment compliance with IPIA, 
we obtained and reviewed documents regarding its regulations and 
methodology for identifying programs and activities highly susceptible to 
improper payments. We reviewed DHS's PARs, Office of Inspector General 
(OIG) semiannual reports to the Congress, and GAO reports for fiscal 
years 2004 through 2006 for improper payment information. We also 
reviewed procedures performed by DHS's independent financial statement 
auditor related to DHS's compliance with IPIA. 

We reviewed the programs that DHS identified as its IPIA population and 
analyzed the risk assessments that were performed during fiscal year 2006. 
This allowed us to determine which components did not perform a risk 
assessment and which programs were not covered. During our review, we 
noted that the Office of Grants and Training (GT), a DHS component, did 
not perform an assessment or complete payment statistical sample testing 
on its grants programs for fiscal year 2006 as required of all DHS programs 
issuing more than $100 million of IPIA relevant payments in fiscal year 
2005. To analyze improper payments related to DHS grantees and highlight 
the importance of performing IPIA testing in this area, we obtained and 
reviewed fiscal year 2005 single audit reports of these entities. We used 
fiscal year 2005 reports because that is the most recent year for which 
complete audit results have been posted to the Federal Audit 
Clearinghouse (FAC). 1 We also reviewed GAO reports and DHS OIG 
Financial Assistance (Grants) Reports for fiscal year 2005 through fiscal 
year 2007 to identify weaknesses reported at DHS grantees. In addition, we 
reviewed DHS OIG Management Reports (audits and inspections) for 
fiscal year 2005 through fiscal year 2007 that were related to grants and 
DHS OIG semiannual reports to the Congress for fiscal years 2005 and 
2006 to identify questioned costs related to DHS grantees. 



1 The FAC's primary purposes are to (1) disseminate audit information to federal agencies 
and the public, (2) support OMB oversight and assessment of federal award audit 
requirements, (3) assist federal cognizant and oversight agencies in obtaining OMB Circular 
No. A-133 data and reporting packages, and (4) help auditors and auditees minimize the 
reporting burden of complying with Circular No. A-133 audit requirements. 



To identify what actions DHS has under way to improve IPIA compliance 
and reporting, we interviewed DHS staff in the Office of the Chief 
Financial Officer and reviewed DHS corrective action plans and the 
Internal Controls Over Financial Reporting (ICOFR) Playbook. We also 
reviewed DHS's IPIA implementing guidance for fiscal year 2007 — revised 
in March 2007 and May 2007 — and determined whether it was consistent 
with IPIA requirements. We discussed these revisions with improper 
payment and financial management officials from DHS to inquire about 
what is currently being implemented and what will be implemented in the 
future to ensure compliance with DHS's revised internal guidance. 

To determine what efforts DHS has in place to recover improper 
payments, we compared section 831 of the National Defense Authorization 
Act for Fiscal Year 2002, commonly known as the Recovery Auditing Act, 
and the related OMB implementing guidance, with DHS recovery auditing 
procedures and PAR-reported information for fiscal year 2006. We also 
reviewed DHS PARs, OIG semiannual reports to the Congress, and GAO 
reports for fiscal years 2004 through 2006 for recovery audit information. 

To assess the reliability of data reported in DHS's PARs related to 
improper payments and recovery audit efforts, we (1) reviewed existing 
information about the data and the system that produced them and 
(2) interviewed agency officials knowledgeable about the data. Based on 
these assessments, we determined that the data were sufficiently reliable 
for the purposes of this report. We conducted our work from October 2006 
through June 2007 in accordance with generally accepted government 
auditing standards. We requested comments on a draft of this report from 
the Secretary of Homeland Security or his designee. The Director, 
Departmental GAO/OIG Liaison Office, provided written comments, which 
are presented in the Agency Comments and Our Evaluation section of this 
report and are reprinted in appendix II. 
Appendix II: Comments from the Department 
of Homeland Security 



U.S. Department of Homeland Security 

Washington, DC 20528 






August 30, 2007 



Mr. McCoy Williams 
Director, Financial Management 
And Assurance 
U.S. Government Accountability Office 
Washington, DC 20548 

Dear Mr. Williams: 

Thank you for the opportunity to comment upon the draft GAO Report: "Department of 
Homeland Security Challenges in Implementing the Improper Payments Information Act 
and Recovering Improper Payments" GAO-07-913. 

We concur with the report's four recommendations and we will implement corrective 
actions to address the challenges raised in the report. Highlights of significant actions 
currently underway include strengthening the Department's Financial Management and 
Oversight functions to improve the DHS control environment and implementing risk 
assessments to build a foundation for a sustainable IPIA program. 

We also appreciate the balanced tone of the report and acknowledgement of our efforts. 
In closing, we look forward to continuing our efforts to enhance the accuracy and 
integrity of federal payments. 



Sincerely, 

Steven J. Pecinovsky 
Director 

Departmental GAO/OIG Liaison Office 



www.dhs.gov 
Appendix III: Prior-Year IPIA Reporting by 
DHS and Its Independent Auditor 



Table 5 presents information on prior-year IPIA reporting by DHS, 
including compliance issues reported by the independent auditor. 



Table 5: Prior-Year IPIA Reporting by DHS 

Fiscal year 2004 

Description of DHS IPIA PAR reporting: 

DHS's PAR presented a completed IPIA risk matrix for all 
DHS programs exceeding $100 million in nonpayroll 
annual disbursements. Programs were defined using the 
Future Years Homeland Security Program (FYHSP) 
system. If a program did not reach a $100 million 
nonpayroll fiscal year 2005 operating budget level, the 
program was judged too small to be at risk for annually 
issuing $10 million in improper payments. According to 
DHS, payroll disbursements were excluded because of 
their repetitive, stable nature and the extensive internal 
controls they are subjected to by the National Finance 
Center. An overall risk score was assigned to each 
FYHSP by evaluating internal control, human capital, 
programmatic risk, and materiality of operating budget risk 
factors. The fiscal year 2004 risk matrix identified no high-risk 
IPIA programs. 



Compliance issues reported by the independent auditor: 

The independent auditor reported that DHS did not comply 
with IPIA. Specifically, DHS did not 

• properly define programs and activities, 

• institute a systematic method of reviewing all programs 
and identifying those it believed were susceptible to 
significant erroneous payments, and 

• properly sample or compute the estimated dollar amount 
of improper payments. 

The auditor recommended that DHS follow the guidance 
provided in OMB M-03-13 in fiscal year 2005, including 
reexamining the definition of a program, completing the 
necessary susceptibility assessments, instituting sampling 
techniques to allow for statistical projection of the results, 
and providing information for proper disclosure in its PAR. 



Fiscal year 2005 

Description of DHS IPIA PAR reporting: 

DHS defined IPIA programs by Treasury Appropriation 
Fund Symbol (TAFS). This change in program definition 
reflected the absence of FYHSP detail and the presence 
of TAFS detail at the transaction level and avoided testing 
issues stemming from FYHSP cost allocations. Each 
component sample tested major payment categories for 
the largest TAFS provided that total disbursements 
exceeded $100 million exclusive of payroll and 
intragovernmental payments. An exception was made for 
one component, FEMA, which tested a TAFS that was 
involved in an improper payment related OIG finding for 
the Individuals and Households Program (IHP). Fiscal year 
2005 sample testing identified no high-risk IPIA programs. 



Compliance issues reported by the independent auditor: 

The auditor identified the following instances of 
noncompliance with IPIA at DHS. Specifically, DHS did not 

• institute a systematic method of reviewing all programs 
and identifying those it believed were susceptible to 
significant erroneous payments; and 

• perform testwork to evaluate improper payments for all 
material programs; testing was only performed over the 
TAFS with the largest disbursements for each component 
or the largest TAFS maintained by an internal DHS 
accounting service provider. 

The auditor recommended that DHS follow the guidance 
provided in OMB M-03-13 in fiscal year 2006, including 
completing the necessary susceptibility assessments, 
performing testwork over all material programs, and 
instituting sampling techniques to allow for statistical 
projection of the results. 
Fiscal year 2006 

Description of DHS IPIA PAR reporting: 

DHS defined IPIA programs by management-identified 
groupings of TAFS. These groupings were designed to 
meet the draft Appendix C definition of an IPIA program 
(Appendix C was issued August 10, 2006). Sample test 
plans were designed by a statistical team which used 
stratified sampling techniques. Sample sizes both in 
number of payments and amount of payments increased 
dramatically compared with previous years. Two programs 
were found to be at high risk for issuing improper 
payments — FEMA's IHP and disaster-related vendor 
payments. Corrective action plans were developed for 
each. IPIA problems included (1) required sample testing 
was not completed for all programs, (2) sample test design 
was hampered by the use of SF-133 outlay figures during 
IPIA program identification, (3) risk assessments were 
based on strictly quantitative factors, and (4) recovery 
audit results were not complete enough to report in the 
PAR. 



Compliance issues reported by the independent auditor: 

The auditor identified the following instances of 
noncompliance with IPIA at DHS and its components. 

• Not all programs subject to IPIA were tested, and the 
population of disbursements tested for some programs 
was not complete. 

• In some cases, the samples tested were not statistically 
derived, and thus, identified errors could not be 
statistically projected to the entire population of 
disbursements (including the untested portion). 

• In some cases, the personnel performing the testwork 
were not knowledgeable or trained on the purpose or 
procedures to be performed. 

• The time period from which disbursements were selected 
for testwork was not always in compliance with IPIA 
requirements. For example, the auditor noted that one 
component limited the time period of disbursement 
samples to October 2005 through March 2006. (Note: 
The actual time period also included September 2005 but 
the auditors did not note this as an exception). 

• Centralized monitoring was not performed over the IPIA 
results to ensure that IPIA testing was completed for all 
required programs in accordance with the department's 
requirements. 

The auditor recommended that DHS follow the guidance 
provided in OMB M-03-13 in fiscal year 2007, including 
completing the necessary susceptibility assessments, 
performing testwork over all material programs, and 
instituting sampling techniques to allow for statistical 
projection of the results of its improper payments testing. 



Source: DHS Performance and Accountability Reports. 
Table 6 provides a list of DHS grant programs, primary recipients, and 
award information for fiscal year 2006. 



Table 6: DHS Grant Programs and Related Information 

| | DHS component | CFDA number | Program | Primary recipients | Number of awards in fiscal year 2006 | Fiscal year 2006 award amount | Average award amount |
|---|---|---|---|---|---|---|---|
| 1 | Citizenship & Immigration Services (CIS) | 97.009 | Cuban/Haitian Entrant Program | Nonprofit organizations | 2 | $10,292,085 | $5,146,043 |
| 2 | Federal Emergency Management Agency (FEMA) — Nondisaster | 97.017 | Pre-Disaster Mitigation Competitive Grants | States and Indian tribal governments | 74 | 126,245,825 | 1,706,025 |
| 3 | | 97.023 | Community Assistance Program State Support Services Element | States | 64 | 7,500,000 | 117,188 |
| 4 | | 97.024 | Emergency Food and Shelter National Board Program | Community groups | [illegible] | [illegible] | [illegible] |
| 5 | | 97.025 | National Urban Search and Rescue Response System | State and local governments | [illegible] | [illegible] | [illegible] |
| 6 | | 97.026 | Emergency Management Institute (EMI) Training Assistance | Individuals | 3,424 [a] | 1,421,511 | 415 |
| 7 | | 97.027 | EMI Independent Study Program | Individuals | 3,729,647 [a] | 884,090 | < 1 |
| 8 | | 97.028 | EMI Resident Educational Program | Individuals | 13,605 [a] | 3,006,705 | 221 |
| 9 | | 97.029 | Flood Mitigation Assistance | States and communities | 83 | 17,473,353 | 210,522 |
| 10 | | 97.041 | National Dam Safety Program | States | 51 | 3,374,476 | 66,166 |
| 11 | | 97.045 | Cooperating Technical Partners | States and communities | 86 | 54,139,208 | 629,526 |
| 12 | | 97.047 | Pre-Disaster Mitigation | State and Indian tribal governments | 178 | 134,880,496 | 757,756 |
| 13 | | 97.070 | Map Modernization Management Support | States and communities | 69 | 9,769,657 | 141,589 |
| 14 | | 97.082 | Earthquake Consortium | State, local, and Indian tribal governments | 3 | 850,000 | 283,333 |
| 15 | | 97.095 | Safe Kids Worldwide | Communities | 1 | 199,480 | 199,480 |
| 16 | FEMA — Disaster Assistance | 97.022 | Flood Insurance | Individuals | 30,995 [a] | 848,691,742 | 27,382 |
| 17 | | 97.030 | Community Disaster Loans | Local governments | 153 | 1,270,501,241 | 8,303,930 |
| 18 | | 97.032 | Crisis Counseling | States | 26 | 96,148,654 | 3,698,025 |
| 19 | | 97.033 | Disaster Legal Services | Individuals | 7 | 360,611 | 51,516 |
| 20 | | 97.034 | Disaster Unemployment Assistance | States | 33 | 392,016,043 | 11,879,274 |
| 21 | | 97.036 | Disaster Grants — Public Assistance (also includes Emergency Assistance and Fire Suppression) | State, local, and Indian tribal governments | 66,797 | 8,138,441,132 | 121,838 |
| 22 | | 97.039 | Hazard Mitigation | State, local, and Indian tribal governments | 1,268 | 401,694,926 | 316,794 |
| 23 | | 97.046 | Fire Management Assistance | State and Indian tribal governments | 319 | 68,143,552 | 213,616 |
| 24 | | 97.048 | Disaster Housing Assistance to Individuals and Households in Presidential Declared Disaster Zones [b] | Individuals | 866,268 [a] | 2,637,939,099 | 3,045 |
| 25 | | 97.049 | Presidential Declared Disaster Assistance — Disaster Housing Operations for Individuals and Households [b] | States and other entities | 123 | 4,773,963,866 | 38,812,714 |
| 26 | | 97.050 | Presidential Declared Disaster Assistance to Individuals and Households — Other Needs [b] | Individuals | 706,760 [a] | 2,247,028,347 | 3,179 |
| 27 | | 97.084 | Hurricane Katrina Case Management Initiative Program | Private nonprofit entities | 1 | 66,000,000 | 66,000,000 |
| 28 | | 97.092 | Repetitive Flood Claims | States, Indian tribal governments, and communities | 39 | 9,821,659 | 251,837 |
| 29 | | 97.098 | Disaster Donations Management Program | State and local governments | 1 | 950,000 | 950,000 |
| 30 | FEMA — Chemical Programs | 97.040 | Chemical Stockpile Emergency Preparedness Program | State, local, and Indian tribal governments | 21 | 65,010,240 | 3,095,726 |
| 31 | FEMA — U.S. Fire Administration | 97.001 | Pilot Demonstration or Earmarked Projects | Nonfederal entities | 8 | 1,184,999 | 148,125 |
| 32 | | 97.016 | Reimbursement for Firefighting on Federal Property | Fire departments | 2 | 1,243 | 622 |
| 33 | | 97.018 | National Fire Academy Training Assistance | Individuals | 5,948 [a] | 1,464,314 | 246 |
| 34 | | 97.019 | National Fire Academy Educational Program | Individuals | 75,107 [a] | 5,236,342 | 70 |
| 35 | | 97.043 | State Fire Training Systems Grants | States | 48 | 1,344,000 | 28,000 |
| 36 | | 97.093 | Fire Service Hazardous Materials Preparedness and Response | Private nonprofit entities | 1 | 50,000 | 50,000 |
| 37 | | 97.094 | Prevention Advocacy Resources and Data Exchange Program | State and local governments | 7 | 21,000 | 3,000 |
| 38 | | 97.097 | Training Resource and Data Exchange | State and local governments | 9 | 93,000 | 10,333 |
| 39 | Federal Law Enforcement Training Center (FLETC) | 97.081 | Law Enforcement Training and Technical Assistance | Individuals | 1,579 [a] | 1,136,880 | 720 |
| 40 | Office of Grants and Training (GT) [d] | 97.005 | State and Local Homeland Security Training Program | State and local governments | 13 | 82,207,860 | 6,323,682 |
| 41 | | 97.007 | Homeland Security Preparedness Technical Assistance Program | State and local governments | 4 | 16,692,768 | 4,173,192 |
| 42 | | 97.008 | Urban Areas Security Initiative [e] | State and local governments | | | |
| 43 | | 97.042 | Emergency Management Performance Grants | State, local, and Indian tribal governments | 58 | 177,655,500 | 3,063,026 |
| 44 | | 97.044 | Assistance to Firefighters | Fire departments | 4,246 | 270,622,058 | 63,736 |
| 45 | | 97.053 | Citizen Corps [e] | State and local governments | 3 | 1,295,000 | 431,667 |
| 46 | | 97.056 | Port Security Grant Program | Seaports and terminals | 99 | 168,052,500 | 1,697,500 |
| 47 | | 97.057 | Intercity Bus Security Grants | Bus systems | 36 | 9,603,000 | 266,750 |
| 48 | | [illegible] | [illegible] Security Program | [illegible] motor carriers and national transportation community | [illegible] | [illegible] | [illegible] |
| 49 | | 97.067 | Homeland Security Grant Program | State and local governments | 56 | 1,670,921,920 | 29,837,891 |
| 50 | | 97.068 | Competitive Training Grants | State and local governments | 11 | 28,809,000 | 2,619,000 |
| 51 | | 97.071 | Metropolitan Medical Response System [e] | Local and Indian tribal governments | | | |
| 52 | | 97.073 | State Homeland Security Program [e] | State and local governments | | | |
| 53 | | 97.074 | Law Enforcement Terrorism Prevention Program [e] | State and local governments | | | |
| 54 | | 97.075 | Rail and Transit Security Grant Program | Transportation systems | 21 | 143,240,948 | 6,820,998 |
| 55 | | 97.078 | Buffer Zone Protection Plan | State and local governments | 62 | 72,965,000 | 1,176,855 |
| 56 | | 97.083 | Staffing for Adequate Fire and Emergency Response | Local communities | 243 | 99,394,888 | 409,032 |
| 57 | | 97.089 | Real ID Program | States and other entities | 2 | 6,000,000 | 3,000,000 |
| 58 | Information Analysis and Infrastructure Protection | 97.079 | Public Alert Radios for Schools | Schools | 77,035 | 1,828,045 | 24 |
| 59 | Science & Technology (S&T) | 97.061 | Centers for Homeland Security | U.S. institutions of higher education | 8 | 24,570,000 | 3,071,250 |
| 60 | | 97.062 | Scholars and Fellows | Individuals | 383 [a] | 10,436,453 | 27,249 |
| 61 | | 97.069 | Aviation Research Grants | U.S. institutions of higher education | 36 | 11,824,817 | 328,467 |
| 62 | | 97.077 | Homeland Security Testing, Evaluation, and Demonstration of Technologies | Nonfederal entities | 5 | 1,298,590 | 259,718 |
| 63 | | 97.086 | Homeland Security Outreach, Education, and Technical Assistance | Federal and nonfederal entities | 10 | 9,626,326 | 962,633 |
| 64 | | 97.091 | Homeland Security Biowatch Program | State and local governments | 52 | 45,661,986 | 878,115 |
| 65 | Transportation Security Administration (TSA) | 97.072 | National Explosives Detection Canine Team Program | Transportation systems | 17 | 2,132,055 | 125,415 |
| 66 | | 97.090 | Law Enforcement Officer Reimbursement Agreement Program | State and local governments | 274 | 67,804,209 | 247,461 |
| 67 | | 97.100 | Airport Checked Baggage Screening Program | State, local, or other public entities | 7 | 240,447,289 | 34,349,613 |
| 68 | U.S. Coast Guard (USCG) | 97.012 | Boating Safety Financial Assistance | States and nonprofit organizations | 79 | 87,667,046 | 1,109,709 |
| 69 | U.S. Secret Service (USSS) | 97.015 | Secret Service Training Activities | Sworn members of a law enforcement agency | n/a [f] | n/a | n/a |
| 70 | | 97.076 | National Center for Missing and Exploited Children | Private nonprofit entities | 1 | 5,445,000 | 5,445,000 |
| | Total-all DHS components | | | | 5,585,670 | $24,849,239,441 | |
| | Awards to individuals [a] | | | | 5,433,723 | | |
| | Awards to others | | | | 151,947 | | |

Sources: Fiscal Year 2006 Funded Award Summary for DHS Grant Programs; Schedule of DHS Programs as of May 9, 2007. 

[a] This amount reflects either individual claims, payments to individuals, or individuals that received 
training. 

[b] This grant program is part of the Individuals and Households Program (IHP). 

[c] Nonfederal entities include state, local government, private, public, profit or nonprofit organizations, 
Indian Tribal government, or individuals specified in a U.S. appropriation statute. 

[d] GT was incorporated into FEMA as of March 31, 2007. 

[e] This grant program is incorporated into the Homeland Security Grant Program. 

[f] According to DHS, the USSS provides training as part of its routine work and does not report this 
information separately. 
Table 7 describes the details of the open corrective action plan critical 
milestones as of May 14, 2007, as reported by DHS, for reducing improper 
IHP assistance payments. 



Table 7: DHS's Incomplete Critical Milestones for Its IHP Corrective Action Plan, 
Status as of May 14, 2007 

| Topic | Target date | Completion status according to DHS |
|---|---|---|
| If the Office of General Counsel (OGC) approves, provide the contractor with requirements and obtain information from them regarding their ability to pre-populate insurance data in applicant files. | September 2006 | 0% |
| Improve the National Emergency Management Information System (NEMIS) accounts receivable — Integrated Financial Management Information System (IFMIS) interface. | November 2006 | 50% |
| Ensure compliance with rules and regulations is part of the annual NEMIS audit. | December 2006 | 50% |
| Explore alternate receipt posting possibilities using electronic files. | March 2007 | 25% |
| Award contract(s) for up to 6,000 call center agents to private sector business(es). | March 2007 | 50% |
| Note: The previous items were past due as of May 14, 2007. | | |
| Conduct a second round of IPIA testing on Hurricane Katrina IHP payments made between March and September 2006. | June 2007 | 50% |
| Put in place a contract for data verification and pre-population of verified data. | September 2007 | 50% |
| Make appropriate updates to NEMIS to ensure maximum use of technology to reduce manual processing. | September 2007 | 50% |
| Improve communications with and messaging to disaster victims. | September 2007 | 50% |
| Clarify with OGC if FEMA can get legislative backing to allow the collection of insurance policy data. | December 2007 | 50% |
| Limit access to NEMIS to users authorized via the Integrated Security and Access Control System. | January 2008 | 47% |
| Integrate shelter tracking mechanisms into NEMIS. | January 2008 | 25% |



Source: DHS's IPIA Corrective Action Plan Summary and Detailed Reports for FEMA's IHP as of May 14, 2007. 



Based on DHS's updated corrective action plan report for IHP, as of 
May 14, 2007, DHS had not completed certain critical milestones by the 
identified target date. These milestones included system interface 
improvements and certain contract awards. Missing these established 
critical milestones only delays strengthening internal controls that are 
necessary to reduce future improper payments. It is important that DHS 
stays on track in implementing its corrective action plans. 

DHS has also established critical milestones for reducing improper 
disaster-related vendor payments. Table 8 describes the details of the open 
corrective action plan critical milestones as of May 14, 2007, as reported 
by DHS for reducing improper disaster-related vendor payments. 



Table 8: DHS's Incomplete Critical Milestones for Its Disaster-Related Vendor 
Payments Corrective Action Plan, Status as of May 14, 2007 

| Topic | Target date | Completion status according to DHS |
|---|---|---|
| Ensure roles and responsibilities with regard to invoice receipt, approval, and payment of contracting officer technical representatives (COTR), project officers, and accounting technicians are clearly defined by conducting a review of policies, procedures, and job descriptions. | May 2007 | 50% |
| Review procurement language to ensure consistency and adequacy for similar goods and services related to product substitution and pricing variances. | May 2007 | 50% |
| Formalize the process of receipt, issue, and follow-up on invoices with COTRs and project officers by finance office. | May 2007 | 50% |
| Train accounting technicians, project officers, and COTRs on the importance of an invoice review and approval process and expectations regarding supporting documentation, prompt pay, product substitution, price variances, and unsupported amounts. | June 2007 | 50% |
| Initiate a quality assurance sampling process for invoices on a periodic basis with emphasis on adherence to metrics published in the fiscal year 2006 PAR. | June 2007 | 50% |
| Enter into a contract with a recovery audit firm. | June 2007 | 0% |
| Identify vendor payments eligible for recoupment (recovery). | July 2007 | 50% |



Source: DHS's IPIA Corrective Action Plan Summary and Detailed Reports for FEMA's Disaster Relief Fund Vendor Payments as of 
May 14, 2007. 



DHS identified three primary root causes for why these two programs — 
IHP assistance payments and disaster-related vendor payments — are at 
high risk of issuing improper payments. According to DHS, these root 
causes include the following. 

• People — FEMA employees were not properly trained. 

• Processes — The nature of FEMA's work responding to disasters explains 
the reliance on people that are not trained in finance requirements and are 
dispersed throughout areas with limited infrastructure. 

• Policies — Policies were cited as possibly inadequate for instructing 
employees on the proper supporting documentation. There is a need for 
clear policy and procedural guidelines that set standard operating 
procedures for all FEMA employees, especially those outside the finance 
area. 

DHS also noted that human capital is the principal requirement to execute 
these two corrective action plans; however, according to DHS, exact 
requirements are not estimable at this time. These plans, if properly 
executed, should help reduce future improper payments in these programs 
by strengthening internal controls. With regard to system improvements, 
as we have previously recommended, 1 DHS needs to conduct effective 
testing to provide reasonable assurance that the system will function in a 
disaster recovery environment. 



1 GAO, Hurricanes Katrina and Rita: Unprecedented Challenges Exposed the Individuals 
and Households Program to Fraud and Abuse; Actions Needed to Reduce Such Problems 
in Future, GAO-06-1013 (Washington, D.C.: Sept. 27, 2006). 